* Configure your SBS DNS server to allow dynamic updates (you will need this in order to add an additional DC). I have even switched the zone from AD-integrated to standard primary to avoid AD replication issues (note that a standard primary zone cannot use secure-only dynamic updates, so make sure only your own LAN can reach it). Make sure each DNS server holds a secondary zone for its partner's DNS zone, so each SBS can locate the other SBS.

* Add each SBS WINS server as a replication partner of the other (so pre-Windows 2000 clients will be able to locate the other domain).

* If you intend to play with W2K3, upgrade your SBS AD schema (run adprep /forestprep followed by adprep /domainprep from the i386 folder on your W2K3 CD or a mapped network drive). Make sure you meet the requirements for running adprep (your SBS needs to be at SP2 or later, plus the required hotfixes; see http://www.petri.co.il/win2003_adprep.htm or, better, http://support.microsoft.com/?scid=331161). I was at SP3 and it worked fine.

* Install the additional server (do not install a DNS server on it; that only slows things down because you would have to wait for DNS replication).

* Make sure your new server uses only the SBS DNS server as its DNS server.

* Go through dcpromo.

At this point you should have two domain controllers in your SBS forest.

Now comes the interesting part.

As you all know, the SBS is a global catalog and holds all five FSMO roles.

The trick is to move all the roles to your brand new additional DC, do the same in the other domain, establish the trust relationship, transfer the roles back to the SBSs and demote the temporary servers.

Using ntdsutil, move all five FSMO roles (probably only one of them actually matters, but I do not know yet which one; I suspect the PDC emulator).

I have also made the new DC a global catalog, just to make sure I do not depend on SBS 2000 at all ;) Of course there are other ways to transfer the FSMO roles, but I like it this way; I come from the Linux world and I like typing :P

* After you have made sure that the FSMO roles have been transferred to the new DC, go and create your trust as you normally would (note: do this operation on the new DC, not on the SBS server!). (For the really paranoid only: disconnect the SBS DCs from the network before establishing the trust.)

* Transfer the roles back to the SBS.

* Demote your new DC.
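The command-line side of the steps above, as an added example that is not part of the original post: a batch file using the tools that ship in the Windows 2000 Support Tools (dnscmd, netdom, ntdsutil). The domain names, host names, IP address and connection name are placeholder assumptions; change them for your site. The WINS partner step is not scripted here. Each ntdsutil transfer still pops up a confirmation dialog, so the role moves are not fully unattended.

```batch
@echo off
setlocal
rem sbs-trust.cmd: added example, not from the original post.
rem Placeholder names (assumptions): replace for your own two domains.
set DOMAIN_A=alpha.local
set DOMAIN_B=beta.local
set SBS_A=sbs-a
set SBS_A_IP=10.0.1.1
set SBS_B_IP=10.0.2.1
set TEMPDC_A=dc-temp-a
set NIC=Local Area Connection

if "%1"=="dns"     goto dns
if "%1"=="newdc"   goto newdc
if "%1"=="to-temp" goto to_temp
if "%1"=="trust"   goto trust
if "%1"=="to-sbs"  goto to_sbs
echo usage: %0 dns ^| newdc ^| to-temp ^| trust ^| to-sbs
exit /b 1

:dns
rem Run on SBS_A. Make the zone a standard primary so it no longer depends
rem on AD replication, allow dynamic updates (dcpromo needs them), and add a
rem secondary copy of the partner's zone so each SBS can find the other.
dnscmd %SBS_A% /ZoneResetType %DOMAIN_A% /Primary /file %DOMAIN_A%.dns
rem AllowUpdate 1 = secure AND non-secure updates. A standard primary cannot
rem do secure-only (2), so anyone reaching port 53 can rewrite records:
rem keep this zone LAN-only and return to AD-integrated + secure-only later.
dnscmd %SBS_A% /Config %DOMAIN_A% /AllowUpdate 1
dnscmd %SBS_A% /ZoneAdd %DOMAIN_B% /Secondary %SBS_B_IP%
dnscmd %SBS_A% /EnumZones
goto :eof

:newdc
rem Run on the freshly installed member server before dcpromo: point it at
rem the SBS DNS server only, then run dcpromo by hand.
netsh interface ip set dns "%NIC%" static %SBS_A_IP%
ipconfig /all
goto :eof

:to_temp
rem Run on TEMPDC_A after dcpromo and replication have finished. Moves all
rem five FSMO roles onto the temporary DC (confirm each dialog with Yes).
ntdsutil roles connections "connect to server %TEMPDC_A%" quit ^
  "transfer schema master" "transfer domain naming master" ^
  "transfer infrastructure master" "transfer RID master" "transfer PDC" ^
  quit quit
rem Check before going on: every role should now name TEMPDC_A.
netdom query fsmo
goto :eof

:trust
rem Run on TEMPDC_A, never on the SBS. Creates a two-way external trust.
rem Both domains' admin credentials are needed; "*" makes netdom prompt so
rem the passwords never appear on the command line or in the history.
netdom trust %DOMAIN_A% /Domain:%DOMAIN_B% /Add /TwoWay ^
  /UserO:%DOMAIN_A%\Administrator /PasswordO:* ^
  /UserD:%DOMAIN_B%\Administrator /PasswordD:*
netdom trust %DOMAIN_A% /Domain:%DOMAIN_B% /Verify
goto :eof

:to_sbs
rem Run on SBS_A once the trust verifies. Moves the roles back; afterwards
rem demote TEMPDC_A with dcpromo.
ntdsutil roles connections "connect to server %SBS_A%" quit ^
  "transfer schema master" "transfer domain naming master" ^
  "transfer infrastructure master" "transfer RID master" "transfer PDC" ^
  quit quit
netdom query fsmo
goto :eof
```

Run the same script with the mirrored names in the other domain; `to-temp` and `trust` must be finished on both sides before either SBS gets its roles back.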

* At this point all your MVP friends will still tell you "no, it's not possible, are you speaking about PTA?", and eventually a Microsoft PSS engineer will repeat that "Trust relationship is not supported in any SBS suite (SBS 4.0/4.5/2000/2003)".

But you don't care. You've just created a trust between two Small Business Server 2000 machines, and yes, you can see it working.

5 comments:

gludwig333, is stable enough that somehow the page mysteriously COMPLETELY disappeared from Google search results for "sbs trust", when it used to be on the first results page. Is stable enough that the 2008 EULA was modified so you're PREVENTED from doing it: "You may not work around any technical limitations in the software". My article is for SBS 2000 and I never had enough time and motivation to test on newer versions; actually I'm requesting feedback and since then I never received a single email.

Has anyone done this successfully? Can this be done on two already existing SBS 2k3 servers which belong to two different networks/AD sites and have their own Internet/e-mail domain, users and policies configured?

In your example you install a fresh new SBS 2003 and run dcpromo to get the 2nd server shown in Server Administration. What will dcpromo do to my existing, different domain config/setup?

Hi, I ran the configuration and was successful to a point. I got the trust up and running but it disappeared later, before I had moved the GC and FSMO back to the SBS. Would not moving these roles back be a cause for the trust to disappear on the SBS setup?